What is SeBackupPrivilege
SeBackupPrivilege is a Windows user privilege that grants a user the ability to bypass file and directory access restrictions and perform backup and restore operations on files and directories. By leveraging this privilege, an attacker can gain access to sensitive files, such as the SAM and SYSTEM files on a domain controller, and extract password hashes for all user accounts in the domain.
What are SAM and SYSTEM files
The Security Accounts Manager (SAM) is a database file in the Microsoft Windows operating system (OS) that contains usernames and passwords. The SYSTEM file contains information about the Windows system, including hardware and software configurations, as well as security-related settings such as system services and drivers.
The SAM file contains password hashes for local user accounts on the system, while the SYSTEM file contains the necessary keys and algorithms to encrypt the password hashes. Without the SYSTEM file, the password hashes stored in the SAM file would be essentially useless, as they could not be properly decrypted.
Abusing SeBackupPrivilge
Scenario: We have a shell as J.Williams who has the SeBackupPrivilege
We can use reg.exe to save the SAM and SYSTEM files to our current directory.
reg save hklm\SAM C:\Users\J.Williams\SAMreg save hklm\SAM C:\Users\J.Williams\SYSTEM
Now we need to download those two files to our Kali.
We can exit evil-winrm and check if the files have been downloaded.
The names are a little strange so I recommend renaming the files.
There are two ways we can dump credentials with the SAM and SYSTEM files. First method is with the impacket-secretsdump tool.
impacket-secretsdump -system SYSTEM -sam SAM local
Second method is with the pypykatz tool
pypykatz registry --sam SAM SYSTEM
Note: aad3b435b51404eeaad3b435b51404ee represents a NULL hash but af9627ead6df998951aa0bcb53301ff0 is the Administrator hash
Thanks for reading! Be sure to share the post if you enjoyed it.
